I recently presented on this topic at RSA and enough people, who didn’t manage to catch the presentation, asked what the link was between these two seemingly unrelated areas, that I promised to write it up for a wider audience – here goes:
Many people assume that the ‘Advanced’ in Advanced Persistent Threats means the use of some incredibly new, sophisticated malware, but typically that’s not the case. Usually the ‘Advanced’ element is in the research effort and the social engineering needed to tip a specific target over the edge and get them to click through to a URL of the attacker’s choosing. Once the attacker has control of a machine on the inside of the corporate perimeter, that machine can become a launching pad to probe for vulnerabilities on machines not directly connected to the internet. Often well-known techniques, for which patches have been available for some time, succeed for the attacker in this situation because machines on the internal ‘safe’ network are not considered to be at risk by many companies. The human adversary directly controlling the compromised machine has the advantage of time (‘Persistent’) to quietly probe until they discover a weakness they can exploit.
So how should you defend against this targeted attack? Well, for me it’s about several things in combination to give you the best shot:
- Reduce noise.
Keep your existing outer perimeter in place and use it to keep out all the bad stuff you can. That gives you more chance of spotting something happening out of place on your internal network.
- Build perimeter fractals.
A fractal is a mathematical shape that repeats itself on an ever smaller scale, so that as you zoom in you get back to exactly what you started with. Doing exactly that with your perimeter boosts your defences. Build another layer or two that has to be breached before you lose critical data en masse. I would highly recommend deploying something we call virtual patching for all servers, which protects ahead of the real patch and, crucially, also reports to you when something has tried to exploit a vulnerability.
- Use specialised software to monitor the internal network traffic
Don’t just look outwards to the big wide world or watch traffic crossing your threshold. Watch also the internal network with Specialised Threat Detection to ensure you are alerted to anything untoward.
- Track back and clean.
When machines attached to your perimeter are being attacked there is usually not much you can do other than block. But when it’s an internal server that’s being attacked then that attack has to come from another internal machine. Blocking that attack is gold dust – not just because you blocked it, but vitally because you now know that one of your internal machines is doing something it shouldn’t and you can remediate that before it (or the adversary controlling it) tries a more sophisticated attack which you might not detect.
- Protect your data
If everything else fails and an adversary does get through your defences to access critical data, then that shouldn’t be game over. You need a second layer of defences from the inside out which encrypts that data, uses data protection to watch what is exiting the organisation, and understands the contents and the context in which they are being used.
- Assume Compromise
The common theme to draw from all of that is to assume that the machine next to yours is already compromised and set your defences accordingly.
It’s that final point, the summary of the preceding six, which provides the link to Cloud Security. In a multi-tenanted environment (IaaS) you should assume that the machine next to yours is out to get you and defend accordingly. Your provider will offer many security features: perimeter firewalling, IPS etc. and internal network segmentation between their customers - all designed to keep you safe - but typically won’t back those up with SLAs in the licence agreement. Treat all of that as a great way to reduce noise, but assume that stuff may still get at your server or data. Build your own perimeter around your servers to block anything that your provider misses, and encrypt your cloud data so that if your provider misplaces it you are still protected. With that you also gain the business benefit of being able to switch providers to a lower priced or better performing alternative without worrying about the bread crumbs of sensitive data you are leaving behind.
If it’s an Internal (Private) Cloud the same applies. You’ve bundled services together for cost and operational efficiency and in doing so reduced the separation between them. Assume compromise and put Virtual Separation into the environment, with perimeters and encryption to restore and even enhance your security compared to the physical model, while taking advantage of an agentless approach wherever possible to retain the efficiencies.
So Cloud Security and APT defence may not be Identical Twins - but they can wear the same clothes!